[57] ABSTRACT

A dynamic network security system (20) responds to a security attack (92) on a computer network (22) having a multiplicity of computer nodes (24). The security system (20) includes a plurality of security agents (36) that concurrently detect occurrences of security events (50) on associated computer nodes (24). A processor (40) processes the security events (50) that are received from the security agents (36) to form an attack signature (94) of the attack (92). A network status display (42) displays multi-dimensional attack status information representing the attack (92) in a two dimensional image to indicate the overall nature and severity of the attack (92). The network status display (42) also includes a list of recommended actions (112) for mitigating the attack. The security system (20) is adapted to respond to a subsequent attack that has a subsequent signature most closely resembling the attack signature (94).

19 Claims, 6 Drawing Sheets 
ADAPTIVE SYSTEM AND METHOD FOR RESPONDING TO COMPUTER NETWORK SECURITY ATTACKS

FIELD OF THE INVENTION

The present invention relates generally to computer networks, and more particularly to systems and methods for adaptively responding to computer network security attacks.

BACKGROUND OF THE INVENTION

Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an on-going, ever changing, and increasingly complex problem.

Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service, and so forth.

The first line of defense against all of these types of security events is typically the denial of access through good passwords and strong firewalls at the nodal level of a computer network. However, one of the unintended consequences of security systems that defeat attempts to steal information or produce network damage and report the status is that repelling a large scale attack may lead to such a large number of trouble messages as to overwhelm the network and lead to denial of service simply by the volume of messages.

A large network is likely to concurrently experience security events at some or multiple nodes on a frequent basis. Many of these security events are likely to be of low sophistication and easily repulsed by the protection software and systems at the affected nodes. Thus, real-time reporting of these security events can be counterproductive when the reporting uses large amounts of bandwidth. However, a coordinated series of even low sophistication security events may indicate a real problem that must be addressed to maintain the network's capability and effectiveness.

Some conventional security management tools available to a network manager for determining the effects of attacks fall into three categories: network modelers, static analyzers and testers, and dynamic analyzers.

Network modeling tools are popular for the original design and updating of networks. They typically are configured with various communication protocols and node types and can depict the hierarchy of the network along with symbols for the various types of nodes in the network. They also have load generation modules to help the designer arrive at the needed capacity on the nodes and transmission paths. Network modeling tools are used to answer "what if" types of analysis questions. For example, by eliminating a node or set of nodes and one or more of the communication paths, network modeling tools can simulate the effects of a successful attack. Also, additional load can be generated to simulate the messaging that might result from an attack, successful or not. Through these methods, the network administrator can gain some knowledge of the robustness of [...] mitigation approaches. Unfortunately, a shortcoming of network modeling tools is that they cannot be used in a dynamic manner to display the [...] of a network. Rather, they only display the entries from some network description data base.

Static analyzers are tools that may be used by a network manager to simulate an attack against his own network. Static analyzers can probe for network weaknesses by simulating certain types of security events that make up an attack. Other tools can test user passwords for suitability and security. There are also tools that can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses. Unfortunately, these tools either test the integrity of the network, or identify a security event after it has occurred. They do not provide an immediate response in the case of an attack made up of several security events of differing types.

Dynamic analyzers are tools that are used to monitor networks and respond at the time of the attack. Dynamic analyzers typically look for specific actions that signify an attack or compare user actions to previously stored statistics to identify significant changes. They also provide messages to the network manager when they sense a possible security event. However, this latter mechanism leads to a significant problem for network capacity if the number of security events were so large that the trouble messages for an attack consume all or a significant portion of the available bandwidth. Another problem with dynamic analyzers is that they work primarily on a nodal basis. Thus, they are unable to amalgamate the security events occurring at a multiplicity of nodes in a computer network to obtain a network view of an attack. So dynamic analyzers may miss the significance of a coordinated series of low level security events at multiple nodes. Also, because of their nodal orientation, their reports tend to be presented as lists of data that can be difficult to evaluate quickly in the event of a large scale attack, or an attack that involves many security events at many nodes.

Thus, what is needed is a system and a method that has the capability of providing a network view of an attack as the attack is occurring. Furthermore, what is needed is a system and method for displaying attack information in a usable and quickly interpretable form to a network manager while minimizing the loading on the computer network. If an attack occurs at a time of stress, a network manager may be overwhelmed with both responding to an attack and providing operational control and messages through the network. Thus, what is needed is a system and a method that provides a network manager with knowledge of the severity and overall nature of the attack, what its expected impact could be, and a list of recommended actions. In addition, what is needed is a system and method that has the ability to evolve with evolving threats to effectively mitigate new approaches to network attacks.

SUMMARY OF THE INVENTION

The present invention provides, among other things, a method of operating a dynamic network security system to respond to a plurality of attacks on a computer network. In one embodiment, the method comprises the steps of training the security system to respond to a plurality of training signatures, each of the training signatures representing one
of a plurality of simulated attacks, receiving a first attack 
signature, the first attack signature being configured to 
characterize a first one of the plurality of attacks, comparing 
the first attack signature to each of the training signatures to 
determine which of the training signatures most closely 
matches the first attack signature, displaying attack status 
information in a network status display in response to the 
first attack signature and a most closely matching training 
signature and adapting the security system to respond to a 
second one of the plurality of attacks, the second attack 
being characterized by a second attack signature that 
resembles the first attack signature. The adapting step, in one 
embodiment, comprises the steps of introducing the first 
attack signature to the security system as a new training 
signature, and mapping the new training signature into the 
network status display. 

The present invention, in another embodiment, provides a 
dynamic network security system for responding to a secu- 
rity attack on a computer network. The computer network 
has a multiplicity of computer nodes. The system comprises 
a plurality of security agents configured to concurrently 
detect occurrences of security events on associated ones of 
the computer nodes, the security events characterizing the 
attack, a processor in data communication with the security 
agents and configured to process the security events to form 
an attack signature, and a network status display in com- 
munication with the processor and configured to display 
attack status information in response to the attack signature, 
the attack status information being representative of the 
attack. In one embodiment, the processor is trained to 
respond to a plurality of training signatures, each of the 
training signatures representing one of a plurality of simu- 
lated attacks, and the processor is further configured to 
compare the attack signature to each of the training signa- 
tures to determine which of the simulated attacks most 
closely matches the attack. The network status display 
presents a display map divided into a plurality of display
cells and each of the training signatures is mapped into the
display cells prior to the attack. The display cells are divided
into a plurality of regions, the regions being configured to 
indicate an attack type and severity of the attack. 

BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the present invention 
may be derived by referring to the detailed description and 
claims when considered in connection with the Figures, 
wherein like reference numbers refer to similar items
throughout the Figures, and: 

FIG. 1 shows a block diagram of a dynamic network 
security system in a computer network in accordance with a 
preferred embodiment of the present invention; 

FIG. 2 shows a flowchart of a system training subprocess 
in accordance with a preferred embodiment of the present 
invention; 

FIG. 3 shows an exemplary database of simulated attack 
information for a plurality of simulated attacks in accor- 
dance with a preferred embodiment of the present invention. 

FIG. 4 shows a display map which forms a portion of a
network status display in accordance with a preferred 
embodiment of the present invention; 

FIG. 5 shows a flowchart of an attack response process 
performed by the dynamic network security system in 
accordance with a preferred embodiment of the present 
invention; 

FIG. 6 shows a table 90 of informational elements of a 
first attack having a first attack signature in accordance with 
a preferred embodiment of the present invention; and 
FIG. 7 shows the network status display in accordance
with a preferred embodiment of the present invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 

FIG. 1 shows a block diagram of a dynamic network
security system 20 in a computer network 22 in accordance
with a preferred embodiment of the present invention.
Security system 20 is represented by a dashed line to
illustrate that system 20 may be incorporated into an already
existing network.

Computer network 22 includes a plurality of nodes 24. A 
computer device 26 is located at each of nodes 24. Computer 
device 26 may be a personal computer workstation or any 
other peripheral microprocessor based system. Nodes 24 are
connected via conventional digital links 28 through area 
servers 30. In turn, area servers 30 are linked via conven- 
tional high speed digital links 32 to a main server 34. 

For clarity of illustration, network 22 is shown with a 
small number of nodes 24, area servers 30, and digital links 
28. However, those skilled in the art will recognize that 
many computer networks have a multiplicity of nodes that 
are arranged in a far more complicated hierarchical order.
Furthermore, computer network 22 need not be located in 
one geographical location, for example in a single building 
or town. Rather computer network 22 may include nodes 24 
that are located remotely from one another, for example in 
two or more different states or countries. In such a case,
remotely located nodes 24 may still be related closely to one 
another in the hierarchical order of network 22. 

Dynamic network security system 20 includes a plurality 
of security agents 36 each of which is associated with one or 
more nodes 24. Security agents 36 are configured to con- 
currently detect occurrences of security events (discussed 

below) on associated computer nodes 24. Security agents 36
are software programs located at nodes 24 and area servers 
30 that identify security events as they appear at the nodal 
level. Security events may include port scans, malicious 
software, penetration attempts, and others that are identified 
through either a specific code signature or through actions or 
attempts at actions. 

Security system 20 functions in conjunction with existing 
technologies for intrusion detection and other network attack 
recognition techniques. Most security events are defeated at 

the node level by the existing technologies such as by
protection software and systems like firewalls and filters.
However, of a greater concern are those security events that 
through cleverness or brute force pass beyond the first lines 
of defense into the interior of the network. Security system 

20 is configured to recognize and mitigate the effects of the
security events that pass beyond the first lines of defense 
provided by the existing technologies. 

Data about security events is collected by security agents
36 and transmitted via links 28, links 32, and a communication
link 38 to a processor 40. In a preferred embodiment,
processor 40 is a self-organizing map (SOM) processor
which applies a category of artificial neural network (ANN)
technology. In another preferred embodiment, processor 40
is a learning vector quantization (LVQ) processor which
applies a category of artificial neural network (ANN)
technology.

ANNs attempt to process data in a manner reminiscent of
the brain, in that they are given examples of desired behavior
rather than algorithms. Thus, the most successful applications
of ANNs have been in areas where the specific steps to
reach a desired result are not known. By sufficient training,
the ANN begins to identify the important pieces of data and
the correlations that allow it to reach the correct conclusion. Thus, SOM processor 40 has the ability to be trained to respond to various types of input data, the training can be ongoing, and network 22 can change responses to the attack as the type of attack changes. SOM processors are known to those skilled in the art.

SOM processor 40 is configured to process security events to form an attack signature (discussed below). A network status display 42 is in communication with SOM processor 40. Network status display 42 is configured to display attack status information representative of an attack in response to the attack signature. Furthermore, network status display 42 in cooperation with SOM processor 40 is configured to display multi-dimensional data in a two dimensional image (discussed below).

SOM processor 40 and status display 42 may be incorporated into the processing and display capabilities of main server 34. Alternatively, SOM processor 40 and network status display 42 may form a separate microprocessor-based workstation for use by a network manager.

FIG. 2 shows a flowchart of a system training process 44 in accordance with a preferred embodiment of the present invention. As is conventional for systems that apply ANNs, dynamic network security system 20 (FIG. 1) is trained before system 20 is used to respond to attacks.

Process 44 begins with a task 46 which accesses a database of simulated attacks. For clarity of illustration, FIG. 3 shows an exemplary database 48 of simulated attack information for a plurality of simulated attacks 52 in accordance with a preferred embodiment of the present invention. For purposes of this description, an attack is defined as a plurality of security events 50 occurring substantially concurrently in a given sampling period at a plurality of nodes 24 (FIG. 1). The sampling period is an arbitrary amount of time that is of a sufficient length to receive enough security events to form an attack signature (discussed below) for an attack.

Each of simulated attacks 52 is a prediction of an attack type (discussed below) that may occur on network 22. Simulated attacks 52 are generated by an operator and stored in database 48. These predictions may be developed using network modeling tools or static analyzers and are based on historical data, attack trends, perceived threats, network hierarchy, and so forth.

Training signatures 53 for simulated attacks 52 are defined by a plurality of security events 50 of at least one security event type 56 in this example. Security events 50 are presented in database 48 in a column 58 as a percentage of security events per event type. In other words, column 58 represents the number of nodes 24 (FIG. 1) affected by each of security event types 56. A simulated attack includes at least one of security event types 56, but more realistically a simulated attack constitutes several security event types 56, as illustrated in first simulated attack 55. Each of security event types 56 is capable of causing an anti-security effect on computer network 22. In other words, the attacker is performing an unauthorized action on network 22. In this example, security event types 56 include destructive virus, snooping virus, worm, Trojan horse, FTP requests, and network overload. However, those skilled in the art will recognize that security event types may include these and/or additional evolving types of security events relative to the computer network for which dynamic network security system 20 (FIG. 1) is used.

In addition to security event types 56 and percentage of security events 50 per event type in column 58, training signatures 53 include location identifiers 60. Location identifiers 60 identify the nodes 24 in network 22 where security events may take place. Location identifiers 60 are important for ascertaining an attack severity 61 for each of simulated attacks 52. Attack severity 61 is a level of security breach that one of simulated attacks 52 could cause computer network 22. The greater attack severity 61, the more damaging the security breach would be.

Due to the complexity of the hierarchical order of a computer network having thousands of nodes, certain related nodes that are affected by simulated attacks 52 may result in greater overall negative impact or security breach to computer network 22 (FIG. 1), thus increasing the severity of simulated attacks 52. In database 48, attack severity 61 for each of simulated attacks 52 is shown as low, medium, or high. However, those skilled in the art will recognize that attack severity 61 may be categorized in many different forms. Generally, attacks which impact a greater number of nodes and nodes located higher in the network hierarchy, such as servers, will be considered to be more severe than attacks that impact only isolated workstations, but that is not a requirement.

With reference back to FIG. 2, following accessing task 46, a task 62 performs first simulated attack 55 (FIG. 3) having a first training signature 54 on computer network 22 (FIG. 1). Those skilled in the art will recognize that first simulated attack 55 is not launched against nodes 24 (FIG. 1) of computer network 22, but rather first simulated attack 55 is input into dynamic network security system 20 (FIG. 1) so that SOM processor 40 (FIG. 1) can receive and process the attack information.

In response to performing first simulated attack 55 in task 62, a task 64 causes SOM processor 40 to map first training signature 54 into network status display 42 (FIG. 1). FIG. 4 shows a display map 66 which forms a portion of network status display 42 in accordance with a preferred embodiment of the present invention. Display map 66 is divided into a plurality of display cells 68, and each of display cells 68 is mathematically represented by a code vector.

A conventional self-organizing map algorithm, such as a learning vector quantization algorithm, employed by SOM processor 40 (FIG. 1) is a variant of a known self-organizing map algorithm of a type of artificial neural network technology. The self-organizing map algorithm plots a vector representative of first training signature 54 onto the two dimensional array of display cells 68 in such a way that vectors projected onto adjacent display cells 68 are more similar than vectors projected onto distant display cells 68. In other words, simulated attacks that most closely resemble one another are mapped into display cells 68 that are physically close to one another in display map 66.

Display map 66 includes a center region 70, a middle region 72, and an outer region 74. In the preferred embodiment, display cells 68 within center region 70 represent a computer network under an attack of low severity, display cells in middle region 72 represent a computer network under an attack of medium severity, and display cells in outer region 74 represent a computer network under an attack of high severity.

Regions 70, 72, and 74 of display map 66 are further subdivided into subregions 76. Subregions 76 are configured to indicate an attack type. In the exemplary embodiment, display map 66 is divided into subregions 76, labeled A-F. By way of example, first simulated attack 55 exhibits a high occurrence of security event type 56 that is a "snooping virus" (FIG. 3). Snooping virus may be labeled as having an
attack type of "A". So, SOM processor 40 (FIG. 1) maps a vector representative of first training signature 54 into display cell 68', which is located in middle region 72. Thus, the division of display map 66 into regions 70, 72, and 74 and subregions 76 indicates attack type and attack severity. When actual attack information from network 22 is then compared to display map 66, a network manager is provided with attack type and severity in a quickly interpretable form.

While display map 66 provides a useful, quickly interpretable representation of attacks on computer network 22 (FIG. 1), those skilled in the art will recognize that there are any number of ways to visually represent attack information. However, the key behind the usefulness of display map 66 is the appropriate mapping of multi-dimensional vectors for training signatures 53 (FIG. 3) that are representative of simulated attacks 52 into the two dimensional image of display cells 68.

With reference back to task 64 (FIG. 2), following mapping of first training signature 54 into display map 66, process 44 proceeds with a query task 78. Query task 78 determines if there is another simulated attack to be input into dynamic network security system 20 (FIG. 1). Although only first training signature 54 has been discussed in detail, in order for display map 66 to be accurately mapped, many more simulated attacks 52 are processed by SOM processor 40 (FIG. 1).

The mapping of display map 66 (FIG. 4) is performed iteratively in a sequence of steps. Each step requires the presentation of one of training signatures 53, in the form of an input vector, to the array of display cells 68 (each of display cells 68 being represented by a code vector). The input vector for one of training signatures 53 is used as an argument to an activation function that estimates the similarity between the input vector and each of the code vectors for display cells 68. The most similar code vector representing one of display cells 68, as well as its neighborhood of display cells 68, is adjusted to improve response to subsequent simulated attacks having similar training signatures.

When another one of training signatures 53 is available, program control loops back to task 46 to access database 48, perform another one of simulated attacks 52, and map a vector representative of the training signature into display map 66. When another one of training signatures 53 is not available, then training process 44 is exited with initial training complete.

As illustrated in FIG. 3, training signatures for simulated attacks 52 are multi-dimensional vectors. Those skilled in the art will recognize that it is not necessary to map all possible combinations of event types to produce all possible types of simulated attacks. Rather, it is desirable to map only enough training signatures 53 to accurately portray a statistically significant number of attack types 76 (FIG. 4) into display map 66 (FIG. 4).

Following system training process 44, dynamic network security system 20 is configured to respond to a plurality of attacks on computer network 22 (FIG. 1). FIG. 5 shows a flowchart of an attack response process 80 performed by dynamic network security system 20 (FIG. 1) in accordance with a preferred embodiment of the present invention. Process 80 is initiated by a network administrator, and once initiated, process 80 is ongoing to continually respond to security attacks on network 22.

Attack response process 80 begins with a task 82. Task 82 detects and repulses, or at least attempts to repulse, security events 50 (FIG. 3) at nodes 24. Task 82 is performed concurrently and autonomously at each of nodes 24 (FIG. 1) by conventional software tools installed on computer devices 26 (FIG. 1) such as virus detectors, firewalls, and the like.

In response to task 82, a task 86 is performed through each of security agents 36. Task 86 causes SOM processor 40 to be notified of an outcome of the repulsing task through one of security agents 36 associated with that node 24. The notification may include data describing a security event type, a location identifier for the node 24, and whether or not the attack was successfully repulsed. Following notification task 86, program control proceeds to a task 88.

Task 88 causes SOM processor 40 to receive an attack signature (discussed below) for an attack (discussed below). Information from security agents 36 about security events is combined at area servers 30 (FIG. 1) in network 22 (FIG. 1) by security agents 36 associated with area servers 30, which may take further action as needed and as possible. The attack information is then combined and transmitted up computer network 22 to form an attack signature (discussed below). The attack signature is received by SOM processor 40 (FIG. 1) for processing.

By way of example, FIG. 6 shows a table 90 of informational elements of a first attack 92 having a first attack signature 94 in accordance with a preferred embodiment of the present invention. First attack 92 constitutes a number of security events 50, shown in column 96 as percentage values, occurring at nodes 24 and categorized by security event types 56.

In conjunction with receiving task 88 (FIG. 5), a task 98 compiles attack status information regarding first attack 92. Attack status information may include location identifiers 60, whether or not any of security events 50 were repulsed at nodes 24, nodal interrelationships, breadth of the attack, expected impact of the attack, and so forth.

Following task 98, a task 100 is performed by SOM processor 40 (FIG. 1). SOM processor 40 compares a vector representative of first attack signature 94 (FIG. 6) to each of training signatures 53 as mapped in display map 66 (FIG. 4).

In response to comparing task 100, a task 102 selects the one of training signatures 53 that most closely matches the attack signature. With reference back to FIG. 3, the security event types 56 and frequency of security events 50 shown in column 58 of training signature 54 most closely resemble first attack 92. Those skilled in the art will recognize that other factors will contribute to the selection of a most closely resembling training signature. Other factors may include, but are not limited to, the location identifiers for each of the affected nodes, network hierarchy, and so forth.

In conjunction with task 102, a task 104 generates a mitigation list. A mitigation list is a list of recommended actions that may be taken to mitigate an attack. Some actions may include a disconnect of some nodes 24 of network 22, establishment of false targets, providing false but realistic data, and so forth. The mitigation list may be generated during training process 44 (FIG. 2) or at any other time by a network administrator after evaluating various training attack scenarios.

Following tasks 102 and 104, a task 106 displays attack status information and the mitigation list on network status display 42 (FIG. 1).

FIG. 7 shows network status display 42 in accordance with a preferred embodiment of the present invention. Network status display 42 presents display map 66 and an attack status information list 108 showing security event type 56 and location identifiers 60 for first attack 92. Display 42 also presents an attack signature log 110 which provides current and historical perspective on a given attack record at
various sample times. The attack signatures in log 110 are
the text equivalent of the two dimensional image as highlighted
in display map 66. In addition, display 42 includes
attack mitigation list 112 which is a catalogue of actions that
a network manager may take in order to mitigate first attack
92.

As shown in display map 66, multiple display cells 68 are
darkened. In the preferred embodiment, one of display cells
68 is darkened for first attack 92 at a first sample time. A
second one of display cells 68 is darkened to illustrate first
attack 92 at a second sample time, and so forth. The image
that emerges on display map 66 is a network view of attack 92
and its progression from a low severity attack, shown in the
darkened display cells 68 of center region 70, to a high
severity attack, shown in the darkened display cells 68 of
outer region 74. Hence, display map 66 provides a means of
tracking the attack severity and attack type over a period of
time.

In an alternative embodiment, network status display 42 
may display only display map 66. Each of the darkened 
display cells may then provide links, in the form of hypertext 
links, to attack status information list 108, attack signature 
log 110, attack mitigation list 112, and any other information 
as needed. 

Referring back to FIG. 5, in response to task 106, a task 
114 mitigates first attack 92. In some cases first attack 92 
may be mitigated automatically by dynamic network secu- 
rity system 20. For example, SOM processor 40 may issue 
instructions to nodes 24 and 30 to not respond to external 
communications or to force new passwords. In other cases, 
mitigation may be activated by a network manager in 
response to attack mitigation list 112. 

Following task 114, a task 116 predicts a pattern for 
subsequent attacks and adapts security system 20 to respond 
to subsequent attacks. Security system 20 is adapted by 
introducing first attack signature 94 into security system 20 
as a new training signature and repeating training process 44 
(FIG. 2). The result of introducing first attack signature 94 
as a new training signature, and mapping a vector represen- 
tative of the new training signature into display map 66, is 
an improved response to subsequent attacks that have sub- 
sequent training signatures that most closely resemble first 
attack signature 94. Thus, security system 20 is able to 
evolve with evolving threats. 
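The match-then-adapt cycle described above, as an added illustration that is not the patent's own code: a small nearest-prototype matcher in the LVQ/SOM style that forms a signature from security events, finds the closest training signature, reports the display cell that prototype occupies, and then introduces the observed signature as a new training signature. The event catalogue, severity weights, 7x7 map geometry and all sample attacks are constructed assumptions, not values from the patent.

```python
import math
from collections import Counter

# Constructed catalogue of event types (the patent names these kinds of events but
# assigns them no codes) with assumed per-type severity weights.
EVENT_TYPES = ["unauthorized_action", "port_scan", "malicious_software", "penetration_attempt"]
SEVERITY = {"unauthorized_action": 2, "port_scan": 1, "malicious_software": 3, "penetration_attempt": 3}
GRID = 7  # assumed 7x7 display map; the centre cell (3, 3) is the low-severity region

def signature(events):
    """Attack signature from (node_id, event_type) security events: per-type
    counts, number of nodes touched, and an aggregate severity score."""
    counts = Counter(kind for _, kind in events)
    nodes = len({node for node, _ in events})
    severity = sum(SEVERITY[kind] * n for kind, n in counts.items())
    return [counts[kind] for kind in EVENT_TYPES] + [nodes, severity]

def display_cell(vec):
    """Assumed map geometry: the dominant event type picks a direction from the
    centre and severity picks the distance, so severe attacks land in the outer region."""
    counts = vec[:len(EVENT_TYPES)]
    dx, dy = [(1, 0), (0, 1), (-1, 0), (0, -1)][counts.index(max(counts))]
    radius = min(vec[-1] // 4, GRID // 2)  # assumed severity-to-radius scaling
    return (GRID // 2 + dx * radius, GRID // 2 + dy * radius)

class SecuritySystem:
    def __init__(self):
        self.training = {}  # name -> (signature vector, display cell)

    def train(self, name, events):  # adaptation reuses this: a signature becomes a prototype
        vec = signature(events)
        self.training[name] = (vec, display_cell(vec))

    def respond(self, events):
        """Nearest training signature by Euclidean distance and the cell it occupies."""
        vec = signature(events)
        best = min(self.training, key=lambda name: math.dist(vec, self.training[name][0]))
        return {"signature": vec, "match": best, "cell": self.training[best][1]}

# Constructed sample attacks; node ids and event mixes are made up.
TRAINING = {
    "probe": [("n1", "port_scan"), ("n2", "port_scan")],
    "worm": [("n1", "malicious_software"), ("n2", "malicious_software"), ("n3", "malicious_software")],
    "intrusion": [("n5", "unauthorized_action"), ("n5", "penetration_attempt"), ("n6", "penetration_attempt")],
}
FIRST_ATTACK = [("n7", "port_scan"), ("n8", "port_scan"), ("n9", "port_scan"), ("n9", "penetration_attempt")]

def demo():
    system = SecuritySystem()
    for name, events in TRAINING.items():
        system.train(name, events)
    before = system.respond(FIRST_ATTACK)            # closest existing prototype
    system.train("scan_then_intrude", FIRST_ATTACK)  # adaptation: first attack becomes training data
    after = system.respond(FIRST_ATTACK)             # a resembling attack now matches it exactly
    return before, after
```

Before adaptation the first attack is only approximately matched to the nearest simulated attack; after its signature is introduced as a training signature, a subsequent attack with the same signature is matched to it directly and lands in its own display cell.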

In summary, a system and a method are provided that are capable of providing a network view of an attack as the attack is occurring. The system and method display attack information in a quickly interpretable two dimensional image that is provided to a network manager. The system and method provide the network manager with knowledge of the attack severity and overall nature of the attack, as well as its expected impact, and a mitigation list of recommended actions for mitigating the attack. In addition, the system and method have the ability to evolve with evolving threats to mitigate new approaches to network attacks by employing a linear vector quantization algorithm of artificial neural network technology.

Although the preferred embodiments of the invention have been illustrated and described in detail, it will be readily apparent to those skilled in the art that various modifications may be made therein without departing from the spirit of the invention or from the scope of the appended claims. For example a conventional linear vector quantization algorithm may be employed rather than the self-organizing map algorithm. In addition, the display map of the network status display may be arranged differently. For example, the attack severity may increase as an attack is displayed moving from the outer region of the display map to the inner region of the display map.

What is claimed is:

1. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:

a plurality of security agents, each security agent being associated with at least one of the computer nodes and located at the associated computer node, each security agent being configured to detect occurrences of security events on the associated ones of said computer nodes, said security events characterizing said attack, said security events comprising at least one of the group consisting of performing of an unauthorized action on the associated computer node, performing port scans on the associated node, operating malicious software on the associated computer node, and initiating unauthorized penetration attempts on the associated computer node, wherein each security agent is configured to transfer data about the security events on the associated computer nodes;

a self-organizing map (SOM) processor in data communication with each of said security agents and configured to process said data about said security events to form an attack signature; and

a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information graphically representing a severity of said attack,

wherein the SOM processor is configured to compare the attack signature with a plurality of training signatures and respond to the security attack.

2. A system as claimed in claim 1 wherein said SOM processor is a linear vector quantization (LVQ) processor.

3. A system as claimed in claim 1 wherein:

said SOM processor is trained to respond to the plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks; and

said processor is further configured to compare said attack signature to each of said training signatures to determine which of said simulated attacks most closely matches said attack.

4. A system as claimed in claim 1 wherein said network status display provides a two dimensional image of said computer network, and said network status display is configured to link said attack status information to said two dimensional image.

5. A system as claimed in claim 4 wherein said attack status information includes a location identifier and a security event type for each of said security events characterizing said attack.

6. A system as claimed in claim 1 wherein said network status display further comprises an attack mitigation list, said attack mitigation list being a catalogue of actions to take to mitigate said attack.

7. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:

a plurality of security agents configured to concurrently detect occurrences of security events on associated ones of said computer nodes, said security events characterizing said attack;



12/02/2003, EAST Version: 1.4.1 



6,088,804 


a processor in data communication with said security agents and configured to process said security events to form an attack signature; and

a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information being representative of said attack,

wherein said processor is trained to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks; and said processor is further configured to compare said attack signature to each of said training signatures to determine which of said simulated attacks most closely matches said attack, and wherein:

said network status display presents a display map divided into a plurality of display cells; and

each of said training signatures is mapped into said display cells prior to said attack, and

wherein said display cells are divided into a plurality of regions, said regions being configured to indicate an attack type and severity of said attack.

8. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:

training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;

receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;

comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;

displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and

adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,

wherein said network status display provides a two dimensional image of said computer network, said network status display being divided into a plurality of display cells, and said training step comprises the steps of:

performing a first one of said simulated attacks on said network, said first simulated attack having a first training signature;

mapping said first training signature into one of said display cells in response to said first simulated attack; and

repeating said performing and mapping steps for the remaining ones of said training signatures.

9. A method as claimed in claim 8 wherein:

each of said training signatures represents at least one security event type and an attack severity for each of said simulated attacks, said at least one security event type being at least one of a plurality of known security event types, each of said known security event types causing an anti-security effect on said computer network, and said attack severity being a level of security breach said simulated attack causes said computer network; and

said mapping step positions said first training signature into said one of said display cells in response to said at least one security event type and said attack severity.

10. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:

training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;

receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;

comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;

displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and

adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,

wherein said displaying step further comprises the step of [illegible in source] at least one security event type and said attack severity of said first attack.

11. A method as claimed in claim 10 wherein said computer network has a multiplicity of nodes and said method further comprises the steps of:

detecting security events on said nodes to form said first attack signature for said first attack;

repulsing said security events at said nodes in response to said detecting step; and

notifying said security system of an outcome of said repulsing step.

12. A method as claimed in claim 11 further comprising the step of:

compiling said attack status information in response to said receiving step, said attack status information being configured to include location identifiers and security event type identifiers for each of said security events in said first attack.

13. A method as claimed in claim 10 further comprising the steps of:

generating a mitigation list in response to said comparing step, said mitigation list being a catalogue of actions to take to mitigate said first attack; and

displaying said mitigation list.

14. A method as claimed in claim 10 further comprising the step of mitigating said first attack in response to said comparing step.

15. A method as claimed in claim 10 wherein:

said first attack signature identifies at least one security event type and severity of said attack; and

said displaying step displays said attack status information in response to said at least one security event type and said attack severity.

16. A method as claimed in claim 10 wherein said adapting step further comprises the step of predicting a pattern of subsequent attacks, said subsequent attacks being characterized by subsequent signatures that resemble said first attack signature.

17. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:
training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;

receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;

comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;

displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and

adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,

wherein said adapting step comprises the steps of:

introducing said first attack signature to said security system as a new training signature; and

mapping said new training signature into said network status display.

18. A method of operating a dynamic network security system to respond to a first and a second attack on a computer network, said computer network having a multiplicity of nodes, said method comprising the steps of:

training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;

detecting security events on said nodes to form a first attack signature representing said first attack, each of said security events causing an anti-security effect on said computer network;

comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely resembles said first attack signature;

generating a mitigation list, said mitigation list being a catalogue of actions to take to mitigate said first attack;

displaying attack status information and said mitigation list in a network status display in response to said first attack signature and a most closely matching training signature, said attack status information being configured to include location identifiers and a security event type for each of said security events;

mitigating said attack; and

adapting said security system to respond to said second attack, said second attack being characterized by a second attack signature that most closely resembles said first attack signature,

wherein said network status display provides a two dimensional image of said computer network, said network status display being divided into a plurality of display cells, and said training step comprises the steps of:

performing a first one of said simulated attacks on said network, said first simulated attack having a first training signature;

mapping said first training signature into one of said display cells in response to at least one security event type and an attack severity for said first training signature,

said at least one security event type being at least one of a plurality of known security event types, each of said known security event types being configured to cause an anti-security effect on said computer network, and said attack severity being a level of security breach said simulated attack causes said computer network; and

repeating said performing and mapping steps for remaining ones of said training signatures.

19. A method as claimed in claim 18 further comprising the steps of:

repulsing said security events at said nodes in response to said detecting step; and

notifying an operator of an outcome of said repulsing step.

* * * * *